Early Glupteba campaigns used compromised Linux-based web servers to distribute the malware, however, later campaigns shifted to an unidentified adware-as-a-service platform for delivery. The most recent campaigns have now begun using an unnamed preliminary dropper delivered via malvertising to install Glupteba.

Trend Micro has identified a new strain that contains a browser stealer for sensitive data and a routine exploiter for MikroTik routers via the CVE-2018-14847 vulnerability.

Once delivered, Glupteba will connect to a command and control server (see below) before attempting to extract account data, browser profiles and passwords using an additional key logging module. It will then enumerate the local network to discover any Internet-of-Things devices, installing a SOCKS proxy on any it finds. Glupteba is also able to install other payloads including cryptocurrency miners and ransomware tools.